From 1764cea5c7fd4f4a7af06c183822158c1e4c6fe7 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Thu, 30 May 2024 16:58:01 +0200
Subject: [PATCH] obexd: Fix buffer overrun

Don't access path at byte 2 when it might only contain a single byte.

Error: OVERRUN (CWE-119): [#def27] [important]
obexd/client/session.c:1142:2: overrun-buffer-val:
Overrunning buffer pointed to by "first" of 1 bytes by passing it to a
function which accesses it at byte offset 2.
1140|		req->index++;
1141|
1142|->		p->req_id = g_obex_setpath(p->session->obex, first, setpath_cb, p, err);
1143|		if (*err != NULL)
1144|			return (*err)->code;
---
 gobex/gobex.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gobex/gobex.c b/gobex/gobex.c
index fdeb11c65..40d6b8129 100644
--- a/gobex/gobex.c
+++ b/gobex/gobex.c
@@ -1611,7 +1611,7 @@ guint g_obex_setpath(GObex *obex, const char *path, GObexResponseFunc func,
 
 	memset(&data, 0, sizeof(data));
 
-	if (path != NULL && strncmp("..", path, 2) == 0) {
+	if (path != NULL && strlen(path) >= 2 && strncmp("..", path, 2) == 0) {
 		data.flags = 0x03;
 		folder = (path[2] == '/') ? &path[3] : NULL;
 	} else {
-- 
2.47.3